Managing Employees' Expectation of Privacy

In a recently filed lawsuit, FDA whistleblowers allege that their emails were monitored after they told Congress that the agency was approving medical devices that posed risks to patients.

Current and former FDA employees say the agency began monitoring their email after these complaints, and that in doing so it violated their constitutional rights. They characterize the monitoring as an unlawful search and seizure and as a violation of their rights to free speech and association.

The FDA, on the other hand, says that when logging onto the network, employees are warned that they may be monitored and should have no expectation of privacy. The article quotes the agency but does not describe what this warning looks like. If the FDA is like many organizations, it is a click-through banner that the employee must accept before proceeding.

Further, the article indicates that the FDA began "surveillance of the employee's personal email accounts, which they accessed from Government computers". So the question is this: does a click-through banner telling employees they have no expectation of privacy extend to their personal email accounts when they access those accounts from work? This will be a very interesting case to follow, given some of the rulings we have seen on similar issues.

In City of Ontario v. Quon, the Supreme Court held that a government employer's review of text messages, including personal ones, sent on an employer-owned pager was a reasonable search, because the employer owned the device, the review was motivated by a legitimate work-related purpose (investigating whether workplace rules were being broken), and it was not excessive in scope.

In that case, Justice Scalia's concurrence restates his standard “…that government searches to retrieve work-related materials or to investigate violations of workplace rules—searches of the sort that are regarded as reasonable and normal in the private-employer context—do not violate the …(Fourth) Amendment.”

Now, that ruling addressed text messages on an employer-issued pager, not personal email accounts accessed through a work computer, but the most important point seems to be that the search was lawful because it was motivated by a legitimate work-related purpose and kept within a reasonable scope.

In Stengart v. Loving Care Agency, Inc., the New Jersey Supreme Court decided a case in which an employee exchanged emails with her attorney through her personal, password-protected Yahoo email account, but using a company-issued laptop.

When she left the company and filed suit against it, the employer had a forensic analysis performed on the laptop. The analysis recovered copies of some of the emails from the browser cache, and even though the emails carried language about privilege and stated that they were intended only for the recipient, the employer asserted they were fair game.

The court ruled that Stengart's use of an employer-provided laptop did not dispel her expectation of privacy when accessing her personal email account. According to the New Jersey Supreme Court, “a policy that provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal password-protected email account using the company’s computer system, would not be enforceable.”

The FDA case seems to fall somewhere between these two rulings. If the monitoring was a legitimate work-related investigation (not knowing the details, I can only assume it was), then reading communications on the agency's own email system would likely fall within Quon and would not violate the employees' Fourth Amendment rights.

However, once the monitoring extends to the employees' personal email accounts, even if the messages are not attorney-client communications, it becomes possible that a line was crossed.

The take-home for companies should be to make sure their acceptable use policies are clear, and that their systems present click-through banners, which users must acknowledge, stating that activity on company-owned systems may be monitored. That is the basic starting point for dispelling an expectation of privacy, although as Stengart shows, a banner alone may not cover personal, password-protected accounts.

However, if private communications are intercepted during the course of an investigation, the company should be guided by its legal counsel on how to proceed. The outcome of the FDA case will hopefully provide further clarity on this somewhat murky issue.

Mark H.
Another aspect to this is that Gmail uses HTTPS. Generally, computer users are trained that this is encrypted end-to-end and that they have a reasonable expectation of security and privacy based on that. Unless the organization specifically informs users that it is doing "man-in-the-middle" monitoring of "secure" web sessions, that could be an issue. Without clearly spelling that out in any consent click-through, would users reasonably be expected to know the organization can (for instance) decrypt and/or modify any of their bank logins/transactions? After all, a bank site itself may very well be telling them otherwise.

